Physical Security Testing

Service Overview ⫘

Secureworks will test your organization's physical defenses and monitoring. This offering comes in two different flavors: Escorted and Covert. An expert physical penetration tester will assess the physical perimeter of one of your organization's buildings for flaws, exploit the flaws, and attempt to gain access to one or more locations within the building (server closets, sensitive office areas, etc.).

Service Methodology ⫘

The Secureworks approach to physical penetration testing is rooted in an internally developed methodology, drawn from industry best practices and enriched by real-world field experience, including the expertise of veterans. Secureworks collaborates closely with you to determine the objectives of the assessment. Prior to the test, Secureworks will schedule a kickoff call to establish rules of engagement, points of contact, scope, risk acceptance, reporting requirements, test timelines, and schedules.

The activities performed during a penetration test can be highly tailored, depending on the customer's business vertical, building size, and location. However, for covert engagements, activities can typically include:

Open-Source Information Gathering: ⫘

Gathering information about the target organization, such as:
- Building location
- Floor plan
- Nearby Facilities
Identification of key personnel and third-party contractors.
Searching for sensitive data published on social media (e.g., employee pictures containing badges).

On-site Reconnaissance: ⫘

Visiting the target location to gather more detailed information about employees' routines and movements.
Identification of security measures, access points, surveillance systems, and potential entry points.

Engaging with employees or personnel to gather additional information through non-technical means.
Following employees in public areas to perform an RFID badge capture/clone.

Physical Access Attempt: ⫘

Attempting unauthorized access to the premises using various methods, such as tailgating or posing as a maintenance worker.
Evaluating the effectiveness of security controls in preventing unauthorized physical access using various methods, such as under-the-door tools, lockpicking tools, or a cloned RFID badge.

Insider Threat Simulation: ⫘

Attempts to gain access to restricted areas.
Examination of data present on desks to identify sensitive data such as passwords on post-its or critical business/customer data.
Internal network access via a drop-box, to complete any digital goals requested.

Outcome ⫘

Presentation of findings and deliverables compiled by Secureworks will be provided to you in the form of a report. The report will include the following:

Executive summary
Methods, detailed findings, narratives, and recommendations if any
Attachments as needed for relevant details and supporting data

In addition, Secureworks can perform a live debrief on-site during the last day of the engagement.

Scoping Information ⫘

Scope	Description
Physical Security Audit - Small	1 physical location / building. An escorted physical security audit, where the Secureworks consultant is escorted throughout the facility and notes any vulnerabilities or misconfigurations. This scenario simulates a malicious employee, or insider threat with basic access to the building. The customer will provide an access badge for the consultant to reach a general population location. Objectives may include: ensuring access controls in doors are properly enforced, security cameras are pointing in the correct direction, employees are not leaving sensitive data on desks, 802.1X is enforced on all Ethernet ports, etc. This scenario does not include employee interaction, social engineering, or any covert activities.
Physical Penetration Test - Medium	1 physical location / building. This scenario simulates an external threat covertly breaching into a building without prior knowledge from the security team. Objectives may include: Gaining physical access to C-suite level, extracting sensitive physical data, or deploying a dropbox into the internal network to establish remote access. Unlike the Physical Security Audit, this simulation may involve employee interaction and social engineering techniques to assess overall security preparedness against external threats.

Scope

Description

Physical Security Audit - Small

1 physical location / building.

An escorted physical security audit, where the Secureworks consultant is escorted throughout the facility and notes any vulnerabilities or misconfigurations. This scenario simulates a malicious employee, or insider threat with basic access to the building. The customer will provide an access badge for the consultant to reach a general population location. Objectives may include: ensuring access controls in doors are properly enforced, security cameras are pointing in the correct direction, employees are not leaving sensitive data on desks, 802.1X is enforced on all Ethernet ports, etc. This scenario does not include employee interaction, social engineering, or any covert activities.

Physical Penetration Test - Medium

1 physical location / building.

This scenario simulates an external threat covertly breaching into a building without prior knowledge from the security team. Objectives may include: Gaining physical access to C-suite level, extracting sensitive physical data, or deploying a dropbox into the internal network to establish remote access. Unlike the Physical Security Audit, this simulation may involve employee interaction and social engineering techniques to assess overall security preparedness against external threats.

Limitations ⫘

Due to the unique nature of physical social engineering, additional scoping will be required. This includes a scoping teleconference with a member of the Secureworks physical security testing team, and additional legal protections for both you and Secureworks.